Banks scramble to protect ATMs from potential hackers

This is an archived article and the information in the article may be outdated. Please look at the time stamp on the story to see when it was last updated.

Banks scramble to protect ATMs from potential hackers

(CNNMoney) — Banks everywhere are in a race against time to upgrade their ATMs before they become hot targets for hackers.

An estimated 95% of American bank ATMs run on Windows XP, and Microsoft is killing off tech support for that operating system on April 8. That means Microsoft will no longer issue security updates to patch holes in Windows XP, leaving those ATMs exposed to new kinds of cyberattacks.

“This isn’t a Y2K thing, where we’re expecting the financial system to shut down. But it’s fairly serious,” said Kurtis Johnson, an ATM expert with U.S. manufacturer Triton.

If banks fail to upgrade their ATMs to a newer version of Windows by April, customers might be at risk. If hackers discover new flaws in Windows XP, those bugs will go unaddressed, leaving attackers free to exploit them.

It can’t yet be known what hackers could do with a Windows XP ATM after April 8. But the prospect of providing a potentially compromised machine with your account and PIN information is unsettling.

Major banks are now cutting special deals with Microsoft to extend life support for their Windows XP machines while they replace their fleet of ATMs. JPMorgan bought a one-year extension of service and plans to start upgrading ATMs to Windows 7 at Chase banks in July. Citibank and Wells Fargo said they’re also upgrading ATMs, but they wouldn’t provide details about their plans. Bank of America did not respond to requests for comment.

Replacing the operating systems on ATMs is a major undertaking. In the United States, there are 210,500 bank ATMs, about 200,000 of which run on Windows XP, according to Retail Banking Research in London. In most cases, banks must upgrade the software one ATM at a time, and some will need the entire computer inside replaced too. Labor included, it’s a process that experts in the ATM industry say could cost anywhere between $1,000 and $3,500 apiece.

“Once they start using an operating system, they’ll ride it as long and as hard as they can,” said Wes Dunn, a sales executive at ATM manufacturer Genmega.

It might sound odd that ATMs are running on aging software better suited to a home PC. In fact, security experts have chastised the financial industry for putting ATMs on a PC operating system in the first place. They argue ATMs should be using software that is scaled down and less buggy, such as Linux.

But banks long ago decided that Microsoft’s familiar way of displaying windows and text would sit well with customers.

Upgrading to Windows 7 or 8 will give ATMs more of a sleek feel that resembles the latest apps on tablets and smartphones, said Jeff Dudash, a spokesman for ATM manufacturer NCR.

One ATM manufacturer, Diebold, says banks are using this opportunity to add newer card readers to their ATMs that accept more secure chip-and-PIN cards. Those cards have already been adopted worldwide but have yet to grow popular in the United States.

Banks that retrofit their ATMs with new hardware will, in the future, be able to upgrade their entire fleets of ATMs with a click of a button. Modern technology allows companies to push software updates via their networks instead of paying each ATM a physical visit.

Ironically, bank customers have less to worry about from those nondescript ATMs found in malls, bars and tiny convenience stores. Those 208,000 independently-run kiosks, built by Triton, Genmega and Nautilus Hyosung, make up the other half of the nation’s ATMs. And nearly all of them run on an even older, simpler operating system called Windows CE — which Microsoft still supports.

3 comments

Mary

What I want to know is why we’re making an article giving pertinent information to hackers. If I was a hacker and saw this article I’d be trying that much harder to get ATM information before all these updates occur. It’s like telling a burglar that your house alarm is going to be down for the next few weeks. It only gives them more incentive.

Peter

Not sure where you get your info from but most of that article
Is not true. Windows XP will be supported through next year
For atms. Windows 7 is still not ready for networks.July maybe.
Service pack 3 was the last update so that’s about 2 or 3 years old
All the hackers come over to the US because we have no smart cards
And there is no guarantee of that until 2016 when banks have to have that
Done by per regulations.

Deeptha

This article is more exaggerated than real. XP is there for quite a long time and virtually bugs free. And the ATMs are not connected to the internet. They are in Bank with high secure network and if somebody can hack an ATM they can simply hack the account database too which is more useful. Unless ATM software releases new version we can use old XP on old machines with old hardware. But new machines should be with windows 7 Due to new motherboards usage for PC component and no drivers for XP. And support for embedded system is till 2016 no rush. With Solidcore and PCI compliance ATMs are secure than a PC. If XP is vulnerable the same way windows 7